Privacy policy

Incidences

Privacy policy

Introduction
This Privacy Policy has been drawn up in accordance with the provision of the Organic Data Protection Law currently in force, as well as by Regulation 2016/679 of the European Parliament and the Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data, hereinafter referred to as the GDPR.
The aim of this Privacy Policy is to inform all personal data holders whose data are being collected of a series of specific aspects regarding the processing thereof. This includes, but is not limited to, the purpose of said processing, the contact details enabling them to exercise the rights to which they are entitled, data conservation periods and security measures.

Data processing
Where appropriate, the personal data requested shall be limited solely to those that are strictly necessary in order to identify and process the request made by the holder thereof, hereinafter the interested party. Said information shall be processed in a loyal, lawful and transparent manner in relation to the interested party. Likewise, the personal data shall be collected for explicit and legitimate ends and shall not be processed in a manner that is not compatible with these purposes at any later time.
The data collected from each interested party shall be appropriate, pertinent and not excessive, in accordance with the corresponding purposes for each case, and shall be updated whenever necessary. The data owners shall receive prior notification that their data are to be collected as well as the general limits regulated by means of this policy, thereby enabling them to give their specific, precise and unequivocal consent for the processing of their data, in accordance with the following considerations:

Processing purposes
The specific purposes for which each processing operation is carried out are specified in the information clauses included in each of the data collection means (online forms, paper forms, verbal announcements or posters and notices). Notwithstanding the above, data of a personal nature shall be processed for the sole purpose of providing an effective response to and dealing with the requests and enquiries made by users, specified next to the option, service, form or data collection method used by the data holder.

Legitimation
As a general rule, and prior to processing any personal data, Compañía de Tranvías de A Coruña obtains the specific and unequivocal consent of the data owners by including informed consent clauses in the various data collection systems. Notwithstanding the above, in the event that the consent of the interested party is not required, the legal basis on which Compañía de Tranvías de A Coruña may act is the existence of a law or specific regulation authorising or requiring the processing of the interested party’s data.

Recipients
As a general rule, Compañía de Tranvías de A Coruña shall not communicate or transfer the data to third parties unless legally required to do so. Notwithstanding the above, should it prove necessary, the interested party shall be duly informed of any such communication or transfer by means of the informed consent forms included in the various personal data collection methods.

Origin
As a general rule, personal data are always collected directly from the interested party. Notwithstanding the above, under certain exceptions, data may be collected via third parties, organisations or services other than the interested party. Should this occur, the interested party shall be duly informed via the informed consent clauses included in the various data collection methods and within a reasonable time period following the collection thereof, which under no circumstances shall exceed one month.

Data conservation periods
The information collected from the interested party shall be conserved as long as necessary in order to comply with the purpose for which the personal data were collected. Once this purpose has been met, the data shall be cancelled. This cancellation shall give rise to the blocking of the data, which shall only be conserved in order to be made available to the Public Administrations, Courts and Tribunals in order to answer to any possible responsibilities arising from their processing, during the prescription period thereof. Once said period has ended, the information shall be destroyed. For your information, below is a list of the data conservation periods stipulated by law in relation to various issues:

DOCUMENT

PERIOD

LEGAL REFERENCE

Documents related to labour or social security issues

4 years

Article 21 of Legislative Royal Decree 5/2000 of 4th August, passing the consolidated text for the Law on Infractions and Sanctions in the Social Order

Tax and accounting documents for trading purposes

6 years

Article 30 of the Code of Commerce

Tax and accounting documents for taxation purposes

4 years

Articles 66 – 70 of the General Tax Act

Building access controls

1 month

Spanish Data Protection Agency Instruction 1/1996

Video surveillance

1 month

Spanish Data Protection Agency Instruction 1/2006
Organic Law 4/1997

Browser data
In relation to the browser data that may be processed via the website, if data subject to the regulations are collected, you are advised to consult the Cookies Policy posted on our website.

Interested party rights
Regulations regarding data protection entitles interested parties, data owners or users of Compañía de Tranvías de A Coruña social media to a series of rights. The rights protecting interested parties are listed below:
– Right of access: the right to obtain information as to whether their data are being processed, the purpose of any such processing, the data categories included, the recipients or recipient categories, conservation periods and the origin of said data.
– Right of rectification: the right to rectification of inexact or incomplete personal data.
– Right of suppression: the right to the suppression of data under the following circumstances:

When the data are no longer needed for the purpose for which they were collected

When the owners thereof withdraw their consent

When the interested party opposes processing

When suppression is mandatory due to a legal requirement

When the data have been obtained by virtue of an information society service in accordance with the provisions of article 8, section 1 of the EU General Data Protection Regulation.

– Right of opposition: the right to oppose specific processing based on the consent of the interested party.
– Right of limitation: the right to data processing limitation in any of the following circumstances:

When the interested party impugns the accuracy of the personal data within a period that enables the company to determine their accuracy.

In the event of unlawful processing and opposition by the interested party to the suppression of the corresponding data.

When the company no longer requires the data for the purpose for which they were collected, but are required by the interested party in order to present, exercise or defend a claim.

When the interested party has opposed processing whilst it is determined whether the company’s legitimate motives prevail over those of the interested party.

Interested parties may exercise the aforementioned rights by writing to the Compañía de Tranvías de A Coruña at lopd@tranviascoruna.com, stating on the subject line the right they wish to exercise.

In this sense, Compañía de Tranvías de A Coruña shall deal with the request at the earliest possible opportunity, taking into consideration the periods stipulated in data protection regulations.

Furthermore, it must be remembered that interested parties or data owners may file a claim before the corresponding authorities at any time.

Security
The security measures adopted by Compañía de Tranvías de A Coruña comply with legal requirements, pursuant to the provisions of article 32 of the GDPR. In this sense, Compañía de Tranvías de A Coruña, considering prior art, application costs and the nature, scope, context and purposes of processing, as well as the variable risks of likelihood and gravity for the rights and liberties of natural persons, has implemented suitable technical and organisational measures in order to guarantee correct level of security in line with the degree of risk.
At all events, Compañía de Tranvías de A Coruña has established sufficient mechanisms in order to:
a) Guarantee the ongoing confidentiality, integrity, availability and resilience of the processing services and systems.
b) Restore availability and access to personal data rapidly in the event of a physical or technical incident.
c) Regularly check, assess and consider the efficiency of the technical and organisational measures implemented in order to guarantee secure processing.
d) Pseudonomise and encrypt personal data, as and when appropriate.